I have a .NET Core web API server that I connect to from a mobile application. The server creates an invoice on Xero and sends the user an email, etc.
I have been using OAuth 1 with no issues, but now need to switch to OAuth 2. As there is no front-end user on the API server, can this still be accomplished?
All the documentation I have read seems to need a manual login to grant authorization and get an access token?
I was using the XeroApi settings in my appsettings.json file with a pfx certificate and a private app.
I am using the C# SDK
Thanks in advance :-)
You'll need a user from the Xero organisation to go through the OAuth2.0 flow at least once to retrieve an access token. If you request the offline_access scope during this flow, you'll receive a refresh token as well; this will enable you to refresh the access token from your web server on an ongoing basis, without user intervention.
So yep, you'll need a manual login at least once, but as long as you request & retain the refresh token from that initial flow, once should be enough.
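As an added example (not from the answer above and not the Xero C# SDK), this Python sketch shows what the server-side half of that arrangement looks like: the refresh token obtained once from the interactive login with the offline_access scope is kept, and the access token is renewed from it with the standard refresh_token grant whenever it is about to expire. The token endpoint URL, client id, client secret and the transport are assumptions supplied by the caller (Xero's endpoint is the one in its OAuth 2.0 documentation; the placeholder below is not it), and the provider's rotated refresh token is stored back whenever one is returned, since a stale refresh token is the usual reason an unattended server loses access.

```python
"""Unattended OAuth 2.0 access-token renewal from a stored refresh token.
Added example; the endpoint and credentials below are placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: replaced by the provider's real token endpoint from its docs.
TOKEN_ENDPOINT = "https://identity.example.com/connect/token"  # placeholder


def build_refresh_request(token_endpoint, client_id, client_secret, refresh_token):
    """Return (url, headers, body) for an RFC 6749 refresh_token grant using
    HTTP Basic client authentication."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return token_endpoint, headers, body


def _post(url, headers, body):
    """Default transport (urllib); tests substitute a fake so nothing goes on the wire."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


class TokenStore:
    """Holds the current access token and the long-lived refresh token.
    The refresh token is the secret that replaces the user: persist it
    encrypted at rest, and overwrite it whenever the provider rotates it
    (Xero and others return a new one on every refresh), or the next
    refresh fails and someone has to log in again."""

    def __init__(self, client_id, client_secret, refresh_token,
                 token_endpoint=TOKEN_ENDPOINT, post=_post, now=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = refresh_token
        self.token_endpoint = token_endpoint
        self._post = post
        self._now = now
        self.access_token = None
        self.expires_at = 0.0

    def refresh(self):
        url, headers, body = build_refresh_request(
            self.token_endpoint, self.client_id, self.client_secret, self.refresh_token)
        status, text = self._post(url, headers, body)
        if status != 200:
            raise RuntimeError(f"token refresh failed with HTTP {status}: {text}")
        data = json.loads(text)
        self.access_token = data["access_token"]
        # Renew 60 s early so no request goes out with a token that is about to expire.
        self.expires_at = self._now() + int(data.get("expires_in", 0)) - 60
        if data.get("refresh_token"):
            self.refresh_token = data["refresh_token"]   # keep the rotated secret
        return self.access_token

    def get_access_token(self):
        """Return a usable access token, refreshing without any user interaction."""
        if self.access_token is None or self._now() >= self.expires_at:
            return self.refresh()
        return self.access_token
```

The only interactive step is obtaining the first refresh token; after that, every call to get_access_token() either returns the cached token or silently renews it.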
Related
I have a Next.js website I'm working on and a dotnet core API connected to a SQL Server database. I have a login page and intend to create a page to add new users, and was wondering how I could do this using dotnet core identity? I added the NextAuth.js package thinking I could utilize it; however, it seems to work best when connecting directly to the database and not going through an API.
I managed to return the token to NextAuth.js, but I don't know where to go from there. How can I use next-auth to manage the session? Or is there a better way to go about doing this without using NextAuth.js?
My reason for using dotnet core identity is that it already has support for roles, setup is fairly simple, and it makes authorizing different sections of the API easy. Based on a user's role, they should be authorized to access certain routes or view certain pages.
I tried looking at the following doc from Microsoft, Intro to auth for SPA, but it's not exactly clear to me how I can manage the session.
First, generally, when we use JWT authentication, the workflow is as below:
Client sends a request (which contains the user information, such as name and password) to the server for a token.
Server receives the user information and checks it for authorization. If validation succeeds, the server generates a JWT token.
Client receives the token and stores it somewhere locally.
Client sends the token in future requests.
Server gets the token from the request header and computes the hash again by using a) the header from the token, b) the payload from the token, c) the secret key which the server already has.
If ("newly computed hash" = "hash that came in the token"), the token is valid; otherwise it is tampered with or not valid.
After configuring your application to use Identity and JWT authentication, when a user logs in, you could send the user information to the server side and check whether the current user is valid or not, then generate a JWT token, and on the client side you could store the token in web storage. After that, when you want to access the resource, pass this token in the authentication HTTP header. For more detailed information, please refer to the following article: JWT Authentication In ASP.NET Core
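As an added example (not from the answer above or from the linked article), the following Python shows the verification step of that workflow in the open: the server recomputes the HMAC over the header and payload exactly as received, compares it in constant time with the signature carried in the token, pins the algorithm so the token cannot pick its own verification method, and enforces exp. The helper at the end modifies a payload without the secret purely to show that the check rejects it. Names, the secret and the claims are constructed for the example; a real service would use a maintained JWT library, but the checks it performs are the same ones shown here.

```python
"""Minimal HS256 JWT issue/verify, written to mirror the workflow above.
Added example; not production code."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes, lifetime_seconds: int = 3600, now=None) -> str:
    """Server side at login: sign header.payload with the server-only secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime_seconds)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, now=None):
    """Server side on later requests: recompute the signature from the header and
    payload as received and compare with the one in the token. Returns the claims,
    or None when the token is malformed, tampered with, or expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token must never choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison so timing does not reveal how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
            return None
        return payload
    except (ValueError, TypeError, AttributeError):
        return None


def modify_payload_without_secret(token: str, **changes) -> str:
    """Constructed for the example only: edit the payload and keep the old
    signature, which is what verify_token must detect."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64
```

Because the secret never leaves the server, a client can read the payload (it is only base64url-encoded, not encrypted) but cannot produce a signature that matches a changed payload, which is the whole basis of the "recompute and compare" step.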
I have an application which is sitting behind a WAF (Web Application Firewall).
The application is using Microsoft Active Directory for authentication.
Here are the steps:
User tries to access the application using the browser.
The WAF layer sees that the REQUEST is not authenticated, hence forwards it to Azure Active Directory.
AAD shows the login page and the user enters username/password/MFA.
Now the token from AAD is sent back to the browser, and it will be sent to the backend application.
Now the question is:
How does the backend application verify this token? Does it need an outbound connection to AAD, or will it talk to AAD through the WAF and browser?
Do I need to have NSG rules (outbound) to talk with AAD?
It depends on which auth flow you are using.
For the Authorization Code flow, your application would need to talk to AAD to redeem the auth code for an access token and refresh token via the back channel. So you would need to allow connection to AAD (login.microsoftonline.com).
For the Implicit Grant flow, it's the browser which directly gets the access token from AAD via the front channel. So, in that case, you won't need whitelisting in the backend WAF.
I have resolved the issue by using the service tag feature in NSG. The backend application needs to be able to reach AAD in order to validate the access token.
I have added an outbound rule with Destination Service Tag Azure Active Directory as shown below.
Here is the link: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview
I am using C# Web API and the Microsoft OWIN OAuth Namespace to grant a user an access token when they have successfully authenticated. When they authenticate, I also set up some caching of user related information.
I'm trying to determine a way to determine when a user's access token will expire, so that I can invalidate and clear the server side cache for that user.
What is the accepted way to do this using token authentication?
You can create a cron job for the database that runs periodically to clean the database.
Cron job for Linux-based systems.
Scheduled Task for Windows.
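As an added example (not from the answer above and not OWIN code), here is an alternative to a periodic cleanup job that answers the original question directly: read the token's own expiry and give the cached user data the same lifetime, so the entry is dropped the moment the token stops being valid. It assumes the access token is a JWT whose signature and exp were already checked by the authentication middleware before this code runs; the exp read here is for cache housekeeping only and must not be the authorization decision. The cache is keyed by a hash of the token so the cache itself never stores raw bearer tokens. All names and the sample token are constructed for the example.

```python
"""Server-side cache whose entries expire together with the access token.
Added example; assumes the token was already validated upstream."""
import base64
import hashlib
import json
import time


def token_expiry(token: str):
    """Return the 'exp' claim (Unix seconds) of a JWT, or None if it cannot be read.
    No signature check here: by design this runs after the auth middleware."""
    try:
        payload_b64 = token.split(".")[1]
        payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
        exp = payload.get("exp")
        return exp if isinstance(exp, int) else None
    except (IndexError, ValueError, AttributeError):
        return None


def _cache_key(token: str) -> str:
    # Never keep the bearer token itself in memory longer than needed.
    return hashlib.sha256(token.encode()).hexdigest()


class UserCache:
    """In-memory cache of per-user data; each entry dies with its token."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}   # key -> (expires_at, value)

    def put(self, token, value):
        exp = token_expiry(token)
        if exp is None:
            raise ValueError("token carries no exp claim; refusing to cache it indefinitely")
        self._entries[_cache_key(token)] = (exp, value)

    def get(self, token):
        key = _cache_key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if self._now() >= expires_at:
            del self._entries[key]    # lazy eviction on the next access
            return None
        return value

    def purge(self):
        """Eager sweep for entries nobody touched; call from a timer. Returns count removed."""
        now = self._now()
        stale = [k for k, (exp, _) in self._entries.items() if now >= exp]
        for k in stale:
            del self._entries[k]
        return len(stale)
```

The same idea transfers to a distributed cache: set the entry's absolute expiration to the token's exp rather than a fixed TTL, and the cache and the token can never disagree about whether the user is still authenticated.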
I am going through Web API in ASP.NET using Visual Studio 2013. I am using the ASP.NET Web API template. I am able to build a simple client that can register and log in with the API. I get a bearer token when the user logs in, and I send this token in the header for accessing data from my API. Now I wanted to know how this token in a GET/POST request is working on the API side.
When I made this API work with Windows Azure Storage, I have not seen any table that saves these tokens corresponding to users, so where do these tokens go?
I can't speak for these particular tokens; however, other token frameworks that I have used (DotNetOpenAuth) just encrypt the username and access scope and create a ticket out of it.
It is similar to what the Forms Authentication module does. There is also no table mapping issued cookies to users, and this is because the cookie can just be decrypted at the server side.
Think of the token as standalone encrypted information rather than an internal id to data that has to be persisted at the server side.
I want to start with the Graph API in a Windows application. I created a Facebook app and saw some articles about the Graph API, but unfortunately I did not understand them. I want to get data like messages, events, friends, wall posts, ... from Facebook.
What is the first step for this?
What is an access token, and is it a constant string or does it change for every request?
Do you have a very basic sample for this?
Any help will be so appreciated.
The access token will expire in 2 to 3 hours, and we can extend it for 60 days. For that we need to create an application in Facebook. Based on this, the access token will vary and is not constant.
What is an Access Token
An access token is a random string that gives an app temporary and secure access to Facebook APIs. An access token can be created on behalf of a person, a Facebook Page or an app. The token is generated in the last step of the login flow. Facebook SDKs handle the generation and storage of tokens automatically. Apps using other methods will need to follow the login flow to create tokens.
The token stores information about permissions that have been granted, as well as information about when the token will expire and which app generated it. To maintain information security, almost all API calls at Facebook need to have an access token passed in the parameters of the request.
Go through this link for the Graph API
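As an added example (not from the answer above and not Facebook SDK code), the following Python shows how a server can look inside a token it has been handed, using the Graph API debug_token endpoint, and answer the questions the answer raises: whether it is still valid, when it expires, which app it was issued to, and which permissions it carries. The endpoint and response fields follow the Graph API documentation; the host constant, app id, sample response and all names are constructed for the example. The call needs an app access token (app id plus app secret), so this belongs on a server, not inside the Windows client, where the secret could be extracted.

```python
"""Inspect a Facebook access token with GET /debug_token before trusting it.
Added example; the sample values are constructed."""
import json
import time
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.facebook.com"   # assumption: current Graph API host


def build_debug_url(input_token, app_access_token, base=GRAPH_BASE):
    """URL for the documented debug_token call; urlencode handles escaping."""
    query = urllib.parse.urlencode({"input_token": input_token,
                                    "access_token": app_access_token})
    return f"{base}/debug_token?{query}"


def _http_get(url):
    """Default transport; tests inject a fake so nothing leaves the machine."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def inspect_token(input_token, app_access_token, expected_app_id,
                  required_scopes=(), now=None, http_get=_http_get):
    """Return {'ok', 'problems', 'user_id', 'seconds_left'} for a token a client sent us."""
    now = int(time.time()) if now is None else now
    data = json.loads(http_get(build_debug_url(input_token, app_access_token))).get("data", {})
    problems = []
    if not data.get("is_valid"):
        problems.append("token is not valid")
    # A valid token issued to some other app must not be accepted by this one.
    if str(data.get("app_id")) != str(expected_app_id):
        problems.append("token was issued to a different app")
    expires_at = data.get("expires_at", 0)
    # Assumption from the docs: expires_at of 0 means the token does not expire.
    if expires_at and expires_at <= now:
        problems.append("token has expired")
    missing = sorted(set(required_scopes) - set(data.get("scopes", [])))
    if missing:
        problems.append("missing scopes: " + ", ".join(missing))
    return {
        "ok": not problems,
        "problems": problems,
        "user_id": data.get("user_id"),
        "seconds_left": max(0, expires_at - now) if expires_at else None,
    }
```

Running this when a token first arrives, and again before long-running work, is what makes the answer's "2 to 3 hours" concrete: seconds_left tells the server when to send the user back through the login flow or exchange the token for a long-lived one.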